I am running into issues where a multi-level subdomain is not working with the Cloudflare-provided wildcard SSL, as the certificate itself only protects two levels of your domain: one is the apex level, and the other is a subdomain of the apex level.

This is kind of frustrating when migrating large sites to Cloudflare and losing all the subdomains. My own SSO server stays at padlock.something.mydomain.com, and this is a case where Cloudflare Wildcard SSL is not working at all. Once I turn on the orange cloud for that DNS record, browsers immediately show SSL errors.

I am hoping there are people who can shed some light on this, since it has been itching for a long time.

The help portion which references *.secure.example.com is in the origin certificate help. Origin certificates are used for securing connections between Cloudflare and the origin. Origin certificates are not signed by a public CA and aren't trusted by end-user browsers. They are intended to provide validation for secure authentication between Cloudflare and the server where the content resides (and are installed and configured on those origin servers). The certificates which are presente…

Unfortunately that’s all the assistance I can provide, but I'm sure someone from Cloudflare will pop onto this thread at some point.

This is a limitation of SSL in general. No browsers support multi-level wildcard certificates, and no trusted CA will issue them. The free Universal SSL certificate provided by Cloudflare supports the root and wildcard domain on a shared certificate. For more levels, dedicated certificates or custom hostnames, a different certificate is needed. Some/most of these can be obtained through Cloudflare if you wish, or, for certain certificate types/orgs, Business and ENT plans support uploading a custom certificate purchased elsewhere.

How do you have your SSL certificate configured/managed for the sites currently?
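The single-label wildcard rule described in the reply above is what decides whether a browser accepts a certificate for a given hostname. The following is an added example, not code from the thread or from Cloudflare, that implements that rule (RFC 6125 section 6.4.3: `*` may only be the entire leftmost label and matches exactly one label) and runs it against constructed SAN lists modelled on the two situations in the thread: a shared apex-plus-wildcard certificate, and a per-zone `*.something.mydomain.com` certificate. The hostnames are the ones quoted in the thread, used here as constructed test data.

```python
"""Check which DNS names a certificate's SAN list actually covers.

Added example (not from the original thread). Implements the single-label
wildcard rule browsers apply (RFC 6125 section 6.4.3): '*' may only be the
entire leftmost label and matches exactly one label, so '*.example.com'
covers 'www.example.com' but not 'a.b.example.com'.
"""
from typing import Dict, Iterable, List, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is ignored.
    return name.rstrip(".").lower()


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers hostname."""
    san = _normalize(san)
    hostname = _normalize(hostname)
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and appear only once;
    # 'f*.example.com', 'www.*.example.com' and '*.*.example.com' are all
    # rejected, as browsers reject them.
    if san_labels[0] != "*" or "*" in san[1:]:
        return False
    # Require at least two labels after the wildcard so '*.com' is never honoured.
    if len(san_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so label counts must be equal;
    # this is why a two-level shared certificate cannot cover a fourth level.
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def covering_san(sans: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers hostname, or None if uncovered."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def coverage_report(sans: Iterable[str], hostnames: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each hostname to the SAN that covers it (None means a browser error)."""
    san_list: List[str] = list(sans)
    return {h: covering_san(san_list, h) for h in hostnames}


# Constructed SAN list standing in for a shared apex-plus-wildcard certificate,
# the shape described in the thread for the free Universal SSL certificate.
UNIVERSAL_SANS = ["mydomain.com", "*.mydomain.com"]

# Constructed SAN list for a certificate issued per third-level zone, the
# poster's original per-zone design.
PER_ZONE_SANS = ["something.mydomain.com", "*.something.mydomain.com"]

# Constructed hostnames, taken from those quoted in the thread.
HOSTS = ["mydomain.com", "www.mydomain.com", "padlock.something.mydomain.com"]


if __name__ == "__main__":
    universal = coverage_report(UNIVERSAL_SANS, HOSTS)
    per_zone = coverage_report(PER_ZONE_SANS, HOSTS)
    for host in HOSTS:
        print(f"{host}: shared={universal[host]!r} per-zone={per_zone[host]!r}")
```

Running the script shows `padlock.something.mydomain.com` covered only by the per-zone certificate, while the shared apex-plus-wildcard certificate covers the apex and `www` but returns `None` for the fourth-level name, which is exactly the condition that produces the browser error reported in the thread.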

Currently we have over 100 wildcard certificates installed, all of them signed individually by CAs, like *.foo.example.org and *.bar.example.org. This was the original design for our architecture, and it worked flawlessly until Cloudflare sat in place, breaking the fourth level of the domain on SSL transport.

Due to the current situation, some of the domains have been offloaded using Secondary DNS to reroute for better SSL support. Needless to say, this generated quite an amount of cost, only purchasing a dedicated profile for DDoS mitigation and SSL support.